b"              U.S. Department of Energy\n              Office of Inspector General\n              Office of Audit Services\n\n\n\n\nAudit Report\n\nManagement of the Federal Energy\nRegulatory Commission's Information\nTechnology Program\n\n\n\n\nDOE/IG-0652                             June 2004\n\x0c\x0c                                                 2\n\nThe effectiveness of the Commission's system development activities could have been improved\nby developing an enterprise architecture, implementing a capital planning and investment control\nprocess, and by thoroughly applying project management techniques. Absent such tools,\nmanagement lacked information needed to determine what systems and features were required\nfor mission accomplishment, could not adequately evaluate progress to completion, or could not\neffectively determine the necessary total system investment. Without improvement, the\nCommission risks incurring unnecessary costs for systems that face premature obsolescence\nbecause they do not meet user needs or satisfy mission requirements.\n\nMANAGEMENT REACTION\n\nManagement generally concurred with the intent of the report's recommendations, but believed\nthat the report did not address the critical issues or actions that the Commission faced in the past\ntwo years in the management of its IT systems. Rather, management felt that many of the issues\nraised in the report had already been identified in an independent study commissioned two years\nago.\n\nWe examined the impact of the Commission's 2002 independent study, the goal of which was to\nevaluate IT management practices. To its credit, as a result of the study, the Commission\nreorganized the Chief Information Officer's office, and refocused its IT related efforts by\nreducing support staff by 50 percent, contracting for needed expertise, and reducing overall costs\nby about $5 million. During our audit, the Commission also finalized its Capital Planning and\nInvestment Control Guide and its System Development Life Cycle Guide. Further, in its\nFY 2005 budget request, the Commission included a performance goal to complete an enterprise\narchitecture by October 2004.\n\nThe Commission's efforts to improve its IT program are noteworthy and, if fully implemented,\nshould provide a structured process for evaluating, selecting, developing, and overseeing projects\nin the future. However, based on our audit of current projects ongoing since completion of the\nindependent study, we concluded that additional action is necessary to enhance software\ndevelopment practices. To that end, we have made several recommendations designed to\nimprove effectiveness of IT management at the Commission.\n\nManagement's comments are summarized beginning on page 4 of the report and are included in\ntheir entirety as Appendix 3.\n\nAttachment\n\ncc:    Executive Director, Federal Energy Regulatory Commission\n       Chief of Staff, Department of Energy\n       Chief Information Officer, Department of Energy\n\x0cREPORT ON MANAGEMENT OF THE FEDERAL ENERGY\nREGULATORY COMMISSION'S INFORMATION\nTECHNOLOGY PROGRAM\n\n\n\n\nTABLE OF\nCONTENTS\n\n\n\n              Systems Planning and Development\n\n              Details of Finding............................................................. 1\n\n              Recommendations .......................................................... 3\n\n              Comments ....................................................................... 4\n\n\n              Appendices\n\n              1. Objective, Scope, and Methodology .......................... 7\n\n              2. Prior Reports.............................................................. 8\n\n              3. Management Comments............................................ 9\n\x0cSYSTEMS PLANNING AND DEVELOPMENT\n______________________________________________________________________\nDevelopment Activities The Federal Energy Regulatory Commission's (Commission)\n                       critical eGovernment development efforts suffered from\n                       incomplete project cost estimates, schedule slippages or faced\n                       premature obsolescence.\n\n                                                     FERC Online\n\n                          Our review of the FERC Online project disclosed that certain\n                          modules had missed target dates or significantly underestimated\n                          project costs. The FERC Online project, initiated in May 2002,\n                          consolidated projects -- some of which had been ongoing since\n                          1998 -- to satisfy the requirements of the Government Paperwork\n                          Elimination Act. The Act established October 2003 as the\n                          deadline for meeting its requirements. Of the six FERC Online\n                          modules with significant development underway, we determined\n                          that four did not meet their initial targeted implementation dates.\n                          FERC Online is currently not scheduled to be fully implemented\n                          until Fiscal Year (FY) 2007 at a total cost of about $31 million.\n                          When complete, its nine individual system development modules\n                          should provide a web-based, integrated system for managing\n                          public and internal documents and information.\n\n                          While the eLibrary initiative (a component of the FERC Online\n                          project) was delayed due to situations beyond the Commission's\n                          control, we noted that management made its decision to initiate\n                          that module without a complete cost estimate. Consequently,\n                          officials did not consider nearly $4.4 million in various costs such\n                          as disaster recovery planning and document conversion when\n                          deciding to go forward.\n\n                          FERC Administrative Management Information System (FAMIS)\n\n                          We also observed that, after only three years of operation, the\n                          Commission decided to replace FAMIS, one of its major systems.\n                          FAMIS was developed and implemented in 1999 to address\n                          Year 2000 remediation concerns and to provide document tracking\n                          and workload management functions. It is being replaced because\n                          it does not meet user needs and is not used extensively. Despite an\n                          investment of $11 million, an internal study noted that the system\n                          was underutilized because it had poorly designed interface screens\n                          and suffered from slow response times. In 2002, management\n                          concluded that the system was not meeting user needs and decided\n                          to phase it out. Efforts are now underway to replace FAMIS with\n                          several other systems being developed under the FERC Online\n                          initiative.\n\n\n\n______________________________________________________________________\nPage 1                                                 Details of Finding\n\x0c______________________________________________________________________\n\nSystems Development   The Commission had not developed organization-wide policies to\nPolicies              guide information technology (IT) acquisitions and development\n                      efforts. Although required by the Clinger-Cohen Act of 1996 and\n                      Office of Management and Budget (OMB) implementing\n                      guidance, the Commission had not prepared an enterprise\n                      architecture to integrate business processes and organizational\n                      goals with IT. While it planned to complete an architecture and\n                      had established a related FY 2003 performance goal, the\n                      Commission did not meet its goal.\n\n                      Absent policies to guide its efforts, many of the Commission's\n                      development projects were initiated without performing needed\n                      planning, capital budgeting, and business process reengineering\n                      studies. Specifically, we noted that key planning studies such as\n                      feasibility, cost-benefit, and return on investment analyses were\n                      never completed for a number of the FERC Online modules.\n                      Cyber related actions such as risk assessments and security\n                      planning had also not been performed to ensure that each of the\n                      modules operated securely. We also observed that the soon to be\n                      phased-out FAMIS project largely automated a number of\n                      inefficient manual processes and was undertaken without business\n                      process reengineering.\n\n                      In addition, the Commission had not always applied project\n                      management techniques for IT investments. The Commission had\n                      not fully implemented a structured system development\n                      methodology to manage its systems development projects although\n                      it had approved the methodology in September 2002. As noted in\n                      Federal guidance, a structured methodology can help ensure that\n                      projects meet their goals by providing a structured series of\n                      development steps. In particular, we found that project cost and\n                      schedule baselines, information essential for executive oversight,\n                      had not been prepared prior to beginning development for six of\n                      the nine FERC Online modules, including the eLibrary module.\n                      Management thus lacked information needed to determine what\n                      systems and features were required for mission accomplishment,\n                      could not adequately evaluate progress to completion, or determine\n                      the total system investment necessary.\n\n\nCost and              The Commission's goal to strategically manage resources through\nImplementation        secure and efficient eGovernment initiatives and through effective\nSchedule              workflow systems may be unattainable without improvement. It\n                      risks incurring unnecessary costs for systems that face premature\n\n\n\n______________________________________________________________________\nPage 2                                                 Details of Finding\n\x0c_____________________________________________________________________\n                          obsolescence because they do not meet users' needs or satisfy\n                          mission requirements. Overall, the Commission's system\n                          developments are at risk of failing to meet the objectives of the\n                          President's Management Agenda for expanding electronic\n                          Government and the Commission's goal to strategically manage\n                          agency resources.\n\n\nOngoing Improvements The Commission has made improvements in managing its IT\nIn Managing IT       activities. Specifically, we noted that it had drafted an initial\nActivities           Enterprise Architecture which management hopes to issue by\n                     October 2004; issued a Capital Planning and Investment Control\n                     Process guide in April 2004; and had begun to implement a\n                     systems development methodology for new projects. Management\n                     also told us that it had initiated the use of Earned Value\n                     Management to determine if an IT development project is cost\n                     effective. Additionally, the Commission had focused training\n                     resources on project management, submitted IT-related\n                     performance measures to OMB along with their business cases for\n                     major systems, drafted a Continuity of Operations Plan, and\n                     updated a Disaster Recovery Plan for mission critical systems.\n\n                          While the above actions are noteworthy, additional actions are\n                          necessary to ensure that key processes are fully implemented to\n                          ensure that IT initiatives are properly managed to help meet user\n                          and mission needs. For instance, the Commission had not\n                          reviewed its ongoing projects to determine to what extent its\n                          system development methodology could be applied. At the time of\n                          our review, only two of the FERC Online modules had\n                          documented risk assessments and none had a security plan. Also,\n                          the Commission had not established project cost baselines for three\n                          of the modules.\n\n\nRECOMMENDATIONS           Although the Commission had made improvements in its systems\n                          development activities, further steps need to be taken to improve\n                          the management of its IT resources. To that extent, we\n                          recommend that the Executive Director:\n\n                          1. Complete the development of and implement an enterprise-\n                             wide architecture to provide a roadmap to guide and direct\n                             acquisitions and development efforts;\n\n\n\n\n______________________________________________________________________\nPage 3                                                Recommendations\n\x0c_____________________________________________________________________\n                     2. Ensure the full implementation of the capital planning and\n                        investment control process for prioritizing, selecting, and\n                        managing investments and ensuring that they are aligned with\n                        the agency's strategic plan and mission;\n                     3. Ensure the full implementation of appropriate project\n                        management techniques to new projects by applying a system\n                        development methodology that provides a structured approach\n                        for designing and developing new information systems; and,\n                     4. Review ongoing development projects and, where appropriate,\n                        ensure that critical development steps are applied to help\n                        ensure their efficient and timely completion.\n\nMANAGEMENT           Management generally concurred with the intent of the report's\nREACTION             recommendations, but believed that the report did not address the\n                     critical issues or actions that the Commission faced in the past two\n                     years in the management of its IT systems. Rather, management\n                     felt the report covered projects initiated prior to improvements\n                     made to its system development methodology and repeated many\n                     of the issues that had already been identified in an independent\n                     study. The study's results prompted a reorganization of the\n                     Commission's Office of the Chief Information Officer resulting in\n                     the use of appropriate management techniques and significant\n                     improvements in operations.\n                     Management indicated that the Commission is on schedule to meet\n                     target dates for FERC Online and that our report used initial rough\n                     order of magnitude estimates in concluding that target dates were\n                     not met. With regard to the eLibrary module of FERC Online,\n                     management stated that our analysis of project cost estimates\n                     incorrectly included costs not associated with development.\n                     Management clarified at the exit conference, that at least some\n                     portion of these costs were related to conversion of archived\n                     records and were, therefore, optional. Management also stated that\n                     planning documents were missing for only small projects that were\n                     part of FERC Online.\n                     With regard to FAMIS, management stated that the system is\n                     meeting mission needs and is expected to have a life-cycle greater\n                     than five years which is comparable to industry standards.\n\nAUDITOR COMMENTS     Management's comments are partially responsive to our\n                     recommendations. Our review included the vast majority of the\n                     active projects in the Commission's system development portfolio,\n                     many of which were initiated prior to 2003. Our review of these\n                     projects included a determination of whether the Commission had\n\n_________________________________________________________________\nPage 4                                                  Comments\n\x0c_____________________________________________________________________\n                     made changes to the projects as a result of improvements it was\n                     making to its systems development methodology. Although an\n                     independent study performed in 2002 did highlight many of the\n                     same problems that we identified, the fact that the Commission had\n                     still not developed an enterprise architecture or fully implemented\n                     a capital planning and investment control process system and a\n                     system development methodology nearly two years later\n                     demonstrate problems in implementing needed corrective actions.\n                     While we agree that management was proactive in performing the\n                     systems study, more needs to be done to ensure that development\n                     problems are addressed in a timely manner. As we have noted in\n                     our report, the Commission has taken a number of positive\n                     corrective actions.\n\n                     We do not concur with a number of management's assertions\n                     regarding the effectiveness of its systems development activities.\n                     Regarding management's statement that it is on target for meeting\n                     FERC Online target dates, we found that four of six modules with\n                     significant development underway did not meet their initial target\n                     implementation dates, including the statutory October 2003\n                     deadline for implementing the requirements of the Government\n                     Paperwork Elimination Act. The target dates management is\n                     currently using to guide the project were revised in 2003 in order\n                     to present realistic implementation dates in response to the Office\n                     of Management and Budget's information technology budget call\n                     for FY 2005. Based on current estimates, however, FERC Online\n                     is not expected to be fully implemented until FY 2007.\n\n                     Also, we do not agree with the Commission's position that costs\n                     for disaster recovery planning and data conversion activities should\n                     not have been considered in its decision to proceed with eLibrary.\n                     Regardless of the timing of these costs, they should have been\n                     considered by the Commission in its decision to proceed with the\n                     eLibrary initiative as required by Office of Management and\n                     Budget circulars.\n\n                     In addition, we do not agree with management's assertion that\n                     planning documents for FERC Online were missing for only small\n                     projects. Specifically, we found that planning documents such as\n                     risk assessments, security plans, and cost and schedule baselines\n                     were missing for major modules of FERC Online, most of which\n                     have incurred actual development costs in excess of $1 million to\n                     date.\n\n\n\n\n_________________________________________________________________\nPage 5                                                  Comments\n\x0c_____________________________________________________________________\n                     Regarding management's assertion that FAMIS is meeting its\n                     mission needs, we found that the Commission's own study showed\n                     that FAMIS had been underutilized from implementation because\n                     of user dissatisfaction. The same study determined that FAMIS\n                     did not meet one of its main reengineering requirements,\n                     automated workload management, which was a primary mission\n                     need.\n\n                     Where appropriate, we have incorporated management's technical\n                     comments in the body of this report. Management's comments are\n                     included in their entirety in Appendix 3.\n\n\n\n\n_________________________________________________________________\nPage 6                                                  Comments\n\x0cAppendix 1\n\nOBJECTIVE     To determine whether the Federal Energy Regulatory Commission\n              (Commission) had efficiently and effectively managed its system-\n              related investments.\n\n\nSCOPE         The audit was performed between April 2003 and May 2004 at the\n              Federal Energy Regulatory Commission in Washington, DC.\n              Specifically, we performed a comprehensive review of the\n              agency's key processes for managing information technology\n              resources.\n\n\nMETHODOLOGY   To accomplish our objective, we:\n\n              \xe2\x80\xa2   Reviewed applicable laws, regulations, guidance and best\n                  practices pertaining to managing information technology\n                  resources and initiatives. We also reviewed relevant reports\n                  issued by the Office of Inspector General and the General\n                  Accounting Office;\n\n              \xe2\x80\xa2   Reviewed the Government Performance and Results Act of\n                  1993 and determined if performance measures had been\n                  established for managing information technology resources;\n\n              \xe2\x80\xa2   Reviewed numerous documents related to the Commission's\n                  management of information technology resources, including\n                  system development project documentation; and,\n\n              \xe2\x80\xa2   Held discussions with program officials and personnel from the\n                  Commission.\n\n              The audit was conducted in accordance with generally accepted\n              Government auditing standards for performance audits and\n              included tests of internal controls and compliance with laws and\n              regulations to the extent necessary to satisfy the audit objectives.\n              Accordingly, we assessed internal controls regarding the\n              management of the Commission's information technology\n              program. Because our review was limited, it would not necessarily\n              have disclosed all internal control deficiencies that may have\n              existed at the time of our audit. We did not rely on computer-\n              processed data to accomplish our audit objective.\n\n              An exit conference was held with Commission officials on\n              June 24, 2004.\n\n\n\n\nPage 7                                   Objective, Scope, and Methodology\n\x0cAppendix 2\n\n                                      PRIOR REPORTS\n\n\n\xe2\x80\xa2   Evaluation of The Federal Energy Regulatory Commission's Cyber Security Program-2003\n    (OAS-L-03-21; September 2003). During the evaluation of the Commission's unclassified\n    cyber security program, we found that significant progress was made in resolving\n    weaknesses reported during the 2002 evaluation. However, plans for maintaining or\n    resuming critical operations in the event of an emergency or disaster had not been completed.\n\n\xe2\x80\xa2   Evaluation Report: The Federal Energy Regulatory Commission's Unclassified Cyber\n    Security Program 2002 (DOE/IG-0569; September 2002). The evaluation of the\n    Commission's unclassified cyber security program found that while a number of protective\n    measures had been implemented, certain critical information systems remained at risk.\n    Cyber protection efforts suffered from program management, planning, and execution\n    weaknesses.\n\n\xe2\x80\xa2   Special Report: The Department of Energy's Implementation of the Clinger-Cohen Act of\n    1996 (DOE/IG-0507; June 2001). The report stated that while the Department had taken\n    action to address certain information technology related management problems, it had not\n    been completely successful in implementing the requirements of the Clinger-Cohen Act of\n    1996. Specifically, the Department had not satisfied major requirements of the Act to\n    develop and implement an integrated, enterprise-wide, information technology architecture;\n    closely monitor policy implementation efforts; and acquire information technology related\n    assets in an effective and efficient manner.\n\n\xe2\x80\xa2   Information Technology: A Framework for Assessing and Improving Enterprise Architecture\n    Management (Version 1.1) (GAO-03-584G; April 2003). In this report, GAO stated that the\n    importance of developing, implementing, and maintaining an enterprise architecture is a\n    basic tenet of both organizational transformation and information technology management.\n    Managed properly, an enterprise architecture could clarify and help optimize the\n    interdependencies and relationships among an organization's business operations and the\n    underlying information technology infrastructure and applications that support these\n    operations. Further, when employed in concert with other important management controls,\n    such as portfolio-based capital planning and investment control practices, architectures can\n    greatly increase the chances that organizations' operational and information technology\n    environments will be configured so as to optimize mission performance.\n\n\n\n\nPage 8                                                                           Prior Reports\n\x0cAppendix 3\n\n\n\n\nPage 9       Management Comments\n\x0cAppendix 3\n\n\n\n\nPage 10      Management Comments\n\x0cAppendix 3\n\n\n\n\nPage 11      Management Comments\n\x0cAppendix 3\n\n\n\n\nPage 12      Management Comments\n\x0cAppendix 3\n\n\n\n\nPage 13      Management Comments\n\x0c                                                                    IG Report No. DOE/IG-0652\n\n                           CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its\nproducts. We wish to make our reports as responsive as possible to our customers' requirements,\nand, therefore, ask that you consider sharing your thoughts with us. On the back of this form,\nyou may suggest improvements to enhance the effectiveness of future reports. Please include\nanswers to the following questions if they are applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding this\n   report?\n\n2. What additional information related to findings and recommendations could have been\n   included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report's overall\n   message more clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the issues\n   discussed in this report which would have been helpful?\n\n5. Please include your name and telephone number so that we may contact you should we have\n   any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at\n(202) 586-0948, or you may mail it to:\n\n                               Office of Inspector General (IG-1)\n                                     Department of Energy\n                                    Washington, DC 20585\n\n                                  ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Wilma Slaughter at (202) 586-1924.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly and cost\n  effective as possible. Therefore, this report will be available electronically through the Internet at the\n                                             following address:\n\n                   U.S. Department of Energy Office of Inspector General Home Page\n                                        http://www.ig.doe.gov\n\n       Your comments would be appreciated and can be provided on the Customer Response Form\n                                      attached to the report.\n\x0c"